Monday, February 8, 2016

Installing a signed SSL cert for EMC ECS Object services

I was working through a proof of concept for a customer this weekend, backing up Cassandra to an S3 object store. Since I already had the EMC ECS community edition running in the lab I had an S3 object store ready to go, but I needed to install a signed certificate on it to make my customer's backup of Cassandra data to object storage work.

If you are looking for an object store to play with, EMC ECS is available free for non-production use. You can get it here, and the EMC CODE team has been nice enough to package up Docker containers of the nodes.

Why do I need to do this?

You will want to use a signed cert any time your clients need secured access to the object store. You can use a cert from your internal certificate authority, as long as that CA is added to the trusted root store of your clients, or one from a public trusted certificate authority.

Let's dive into the technical details after the break.



Prerequisites

  • Generate a new private key: openssl genrsa -out ecs.key 2048
  • Generate a new cert request: openssl req -new -out ecs.req -key ecs.key -config openssl.cnf -sha256. Note that any subject alternative names should be defined in your .cnf file (I have an example here). Depending on how your clients address buckets with the S3 protocol (virtual-host style addressing puts the bucket name in the hostname), you may need a wildcard cert.
  • Submit the request to your CA and get your cert (I used my local Microsoft CA in my lab).

Applying the Cert

Now that we have a signed cert and a private key, we need to combine them into an XML file in the format the ECS API expects. It needs to look like this:

<rotate_keycertchain>
   <ip_addresses>
      <ip_address></ip_address>
   </ip_addresses>
   <system_selfsigned></system_selfsigned>
   <key_and_certificate>
      <private_key></private_key>
      <certificate_chain></certificate_chain>
   </key_and_certificate>
</rotate_keycertchain>

Copy this text into a new document, paste in your key and cert chain, and save the document as an XML file.

We are now ready to apply the cert to the ECS appliance via the API. The first step is to authenticate to the API using curl and save the auth token, which comes back in the X-SDS-AUTH-TOKEN response header:

curl -L --location-trusted -k https://192.168.120.9:4443/login -u "root:Password" -v

> GET /login HTTP/1.1
> Authorization: Basic cm9vdDpDaGFuZ2VNZQ==
> User-Agent: curl/7.24.0 (i386-pc-win32) libcurl/7.24.0 OpenSSL/0.9.8t zlib/1.2.5
> Host: 192.168.120.9:4443
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 7 Dec 2016 22:18:25 GMT
< Content-Type: application/xml
< Content-Length: 93
< Connection: keep-alive
< X-SDS-AUTH-TOKEN: BAAcQ0xOd3g0MjRCUG4zT3NJdnNuMlAvQTFYblNrPQMAUAQADTEzODU0OTQ4NzYzNTICAAEABQA5dXJuOnN0b3JhZ2VvczpUb2tlbjo2MjIxOTcyZS01NGUyLTRmNWQtYWZjOC1kMGE3ZDJmZDU3MmU6AgAC0A8=
<
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<loggedIn>
   <user>root</user>
</loggedIn>
* Connection #0 to host 192.168.120.9 left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1): 

Once you have the auth token you are ready to PUT the XML file containing the key and cert with curl, supplying the auth token in the same header. Here is an example of the formatting:

[root@ecs OPENSSL]# curl -k https://192.168.120.9:4443/object-cert/keystore -v -H "X-SDS-AUTH-TOKEN: BAAca1p3d0RrK1dRWmRuaENtWm1BU3lPVGVycGk4PQMAjAQASHVybjpzdG9yYWdlb3M6VmlydHVhbERhdGFDZW50ZXJEYXRhOjJjMmU0OWYwLWQ1YWYtNDAwZi1iZTllLTVmMDI2ZjM4ZDYyMwIADTE0NTQ4Nzg4NjMzODYDAC51cm46VG9rZW46MWZmY2Y4ODAtYTgzNS00NmQ5LWEyOTEtNTA4OWE3YjY1MmQyAgAC0A8=" -H "Content-Type: application/xml" --upload-file ecs2.xml
Valid response:
* About to connect() to 192.168.120.9 port 4443 (#0)
*   Trying 192.168.120.9...
* Connected to 192.168.120.9 (192.168.120.9) port 4443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=localhost
*       start date: Feb 05 21:04:09 2016 GMT
*       expire date: Feb 02 21:04:09 2026 GMT
*       common name: localhost
*       issuer: CN=localhost
> PUT /object-cert/keystore HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.120.9:4443
> Accept: */*
> X-SDS-AUTH-TOKEN: BAAca1p3d0RrK1dRWmRuaENtWm1BU3lPVGVycGk4PQMAjAQASHVybjpzdG9yYWdlb3M6VmlydHVhbERhdGFDZW50ZXJEYXRhOjJjMmU0OWYwLWQ1YWYtNDAwZi1iZTllLTVmMDI2ZjM4ZDYyMwIADTE0NTQ4Nzg4NjMzODYDAC51cm46VG9rZW46MWZmY2Y4ODAtYTgzNS00NmQ5LWEyOTEtNTA4OWE3YjY1MmQyAgAC0A8=
> Content-Type: application/xml
> Content-Length: 4000
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< Date: Mon, 08 Feb 2016 02:55:39 GMT
< Content-Type: application/xml
< Content-Length: 2276
< Connection: keep-alive
<
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><certificate_chain><chain>-----BEGIN CERTIFICATE-----
* Connection #0 to host 192.168.120.9 left intact

OK, so how do I know this worked? If the response echoes the certificate chain like the one above, it should have worked. You need to wait up to one hour for the key to propagate to all ECS nodes; after that we can check from a client. Using openssl you can check the validity of the cert served by the ECS S3 service on port 9021: openssl s_client -showcerts -connect 192.168.120.9:9021 | grep -i "verify return". If you get a return code of 0 (ok) you should be good to go. You can also hit port 9021 with a web browser to inspect the cert.
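Putting the steps above together, as an added example that is not from the original post: a bash script that builds the keystore XML from PEM files, logs in to the management API, uploads the keystore and then checks the S3 port with openssl against the signing CA (a bare s_client call only reports 0 when that CA is already in the system trust store). The host, credentials, file paths and the `false` value for system_selfsigned are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: scripts the post's steps. Assumes
# the management API on 4443 and S3 on 9021 (as in the post); host, credentials
# and PEM paths are placeholders; <system_selfsigned>false</system_selfsigned>
# is an assumed value (the post leaves the element blank).
set -euo pipefail

# Build rotate_keycertchain XML from a PEM key and a PEM chain (server cert
# first, then intermediates). $3 = node IPs; empty keeps the post's blank tag.
build_keystore_xml() {
  local key_file="$1" chain_file="$2" ips="${3:-}" ip
  printf '<rotate_keycertchain>\n   <ip_addresses>\n'
  [ -n "$ips" ] || printf '      <ip_address></ip_address>\n'
  for ip in $ips; do printf '      <ip_address>%s</ip_address>\n' "$ip"; done
  printf '   </ip_addresses>\n   <system_selfsigned>false</system_selfsigned>\n'
  printf '   <key_and_certificate>\n      <private_key>\n%s\n      </private_key>\n' "$(cat "$key_file")"
  printf '      <certificate_chain>\n%s\n      </certificate_chain>\n' "$(cat "$chain_file")"
  printf '   </key_and_certificate>\n</rotate_keycertchain>\n'
}

# Log in with basic auth and return the X-SDS-AUTH-TOKEN response header.
# -k only because the appliance still serves its self-signed cert at this point.
ecs_login() {  # $1 = host:4443, $2 = user:password
  curl -sS -k -L --location-trusted -D - -o /dev/null -u "$2" "https://$1/login" \
    | awk 'tolower($1) == "x-sds-auth-token:" { print $2 }' | tr -d '\r'
}

# PUT the keystore XML; on success the API echoes the installed chain.
ecs_upload_keystore() {  # $1 = host:4443, $2 = token, $3 = xml file
  curl -sS -k -H "X-SDS-AUTH-TOKEN: $2" -H "Content-Type: application/xml" \
    --upload-file "$3" "https://$1/object-cert/keystore"
}

# Verify the S3 endpoint against the CA that signed the cert; an internal CA is
# not in openssl's default store, so pass it with -CAfile. "Verify return
# code: 0 (ok)" means the new cert is live on this node.
check_s3_cert() {  # $1 = host, $2 = CA bundle PEM
  openssl s_client -connect "$1:9021" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null \
    | grep -i 'verify return code'
}

# Usage: ECS_HOST=192.168.120.9 ECS_AUTH=root:Password ./ecs_cert.sh ecs.key chain.pem ca.pem
if [ -n "${ECS_HOST:-}" ]; then
  build_keystore_xml "$1" "$2" > ecs_keystore.xml
  token=$(ecs_login "$ECS_HOST:4443" "${ECS_AUTH:?set ECS_AUTH=user:password}")
  ecs_upload_keystore "$ECS_HOST:4443" "$token" ecs_keystore.xml
  check_s3_cert "$ECS_HOST" "$3"   # re-run after propagation (up to an hour)
fi
```

Run the check again after the propagation window the post mentions; until all nodes have picked up the new keystore, a node behind the address may still answer with the old self-signed cert.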


